From e47cde09e3b2d8736be1383496d5e5821d5b73fc Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Wed, 17 Jun 2015 23:57:35 -0500
Subject: Bump Travis to test a little nicer.
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.travis.yml b/.travis.yml
index 556ece7..c69e288 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -21,6 +21,7 @@ script:
 # Run the role/playbook with ansible-playbook.
 - "ansible-playbook -i tests/inventory tests/$SITE --connection=local --sudo"
+ - "ansible-playbook -i tests/inventory tests/$SITE --connection=local --sudo"
 # Run the role/playbook again, checking to make sure it's idempotent.
 - >
--
cgit v1.2.1
From a62270617e954dd017b5389de32ffeb8103c0f09 Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Thu, 18 Jun 2015 00:11:29 -0500
Subject: Undo the Travis bump.
---
 .travis.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index c69e288..556ece7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -21,7 +21,6 @@ script:
 # Run the role/playbook with ansible-playbook.
 - "ansible-playbook -i tests/inventory tests/$SITE --connection=local --sudo"
- - "ansible-playbook -i tests/inventory tests/$SITE --connection=local --sudo"
 # Run the role/playbook again, checking to make sure it's idempotent.
 - >
--
cgit v1.2.1
From df7f9eb615cf94cb6ba0163c361fc4bdb7956f72 Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Fri, 17 Jul 2015 21:20:31 -0500
Subject: Fixed documentation and linux distro information.
---
 README.md | 2 +-
 meta/main.yml | 2 +-
 tasks/main.yml | 22 +++++++++++++---------
 3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 92ac061..49a459f 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ None.
 ## Role Variables
-Available variables are listed below, along with default values (see `vars/main.yml`):
+Available variables are listed below, along with default values (see `defaults/main.yml`):
 ntp_enabled: true
diff --git a/meta/main.yml b/meta/main.yml
index 2731fc2..dc85d17 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -3,7 +3,7 @@ dependencies: []
 galaxy_info:
 author: geerlingguy
- description: NTP installation and configuration for RHEL/CentOS 6.x.
+ description: NTP installation and configuration for Linux.
 company: "Midwestern Mac, LLC"
 license: "license (BSD, MIT)"
 min_ansible_version: 1.4
diff --git a/tasks/main.yml b/tasks/main.yml
index b71ac16..2844315 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,7 +3,11 @@
 include_vars: "{{ ansible_os_family }}.yml"
 - name: Set the correct timezone.
- file: src=/usr/share/zoneinfo/{{ ntp_timezone }} dest=/etc/localtime state=link force=yes
+ file:
+ src: "/usr/share/zoneinfo/{{ ntp_timezone }}"
+ dest: /etc/localtime
+ state: link
+ force: yes
 - name: Install NTP (RedHat).
 yum: name=ntp state=installed
@@ -18,15 +22,15 @@
 when: ansible_os_family == 'FreeBSD'
 - name: Ensure NTP is running and enabled at system start.
- service: >
- name={{ ntp_daemon }}
- state=started
- enabled=yes
+ service:
+ name: "{{ ntp_daemon }}"
+ state: started
+ enabled: yes
 when: ntp_enabled
 - name: Ensure NTP is stopped and disabled at system start.
- service: >
- name={{ ntp_daemon }}
- state=stopped
- enabled=no
+ service:
+ name: "{{ ntp_daemon }}"
+ state: stopped
+ enabled: no
 when: not ntp_enabled
--
cgit v1.2.1
From 50fe94fe2600178a4d3685808a2aab9926b20e17 Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Fri, 17 Jul 2015 21:53:57 -0500
Subject: Disable ntp for testing on Travis infrastructure.
---
 tests/test.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/test.yml b/tests/test.yml
index 9093df7..794470d 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -1,5 +1,9 @@
 ---
 - hosts: localhost
 remote_user: root
+
+ vars:
+ ntp_enabled: false
+
 roles:
 - ansible-role-ntp
--
cgit v1.2.1
From 2bfe67855da09a0b3b1cdb0d751b115fa42f1c36 Mon Sep 17 00:00:00 2001
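Review bot: In tasks/main.yml of "Fixed documentation and linux distro information.", first hunk, the rewritten `Set the correct timezone.` task keeps `force: yes`, which lets the file module create the /etc/localtime link even when `/usr/share/zoneinfo/{{ ntp_timezone }}` does not exist, so a misspelled `ntp_timezone` leaves a dangling symlink and the play still reports success. The variable is also spliced into the path unchecked, so a value containing `../` would point /etc/localtime outside the zoneinfo tree; rejecting that needs its own check. A `stat` on the source path that fails the play when the zone file is missing, placed before the link task, covers the typo case. The task list continues outside the hunk.

```yaml
- name: Check that the requested timezone exists.
  stat:
    path: "/usr/share/zoneinfo/{{ ntp_timezone }}"
  register: ntp_timezone_file
  failed_when: not ntp_timezone_file.stat.exists

# … unchanged: "Set the correct timezone." link task …
```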
From: Jeff Geerling
Date: Thu, 3 Mar 2016 14:43:58 -0600
Subject: Updates for Ansible Galaxy 2.0.
---
 .travis.yml | 4 ++++
 meta/main.yml | 28 ++++++++++++++--------------
 2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 556ece7..11a7369 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,5 @@
 ---
+sudo: required
 language: python
 python: "2.7"
@@ -28,3 +29,6 @@ script:
 | grep -q 'changed=0.*failed=0'
 && (echo 'Idempotence test: pass' && exit 0)
 || (echo 'Idempotence test: fail' && exit 1)
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/meta/main.yml b/meta/main.yml
index dc85d17..2070ebc 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -6,19 +6,19 @@ galaxy_info:
 description: NTP installation and configuration for Linux.
 company: "Midwestern Mac, LLC"
 license: "license (BSD, MIT)"
- min_ansible_version: 1.4
+ min_ansible_version: 1.8
 platforms:
- - name: EL
- versions:
- - all
- - name: Debian
- versions:
- - all
- - name: Ubuntu
- versions:
- - all
- - name: FreeBSD
- versions:
- - all
- categories:
+ - name: EL
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: FreeBSD
+ versions:
+ - all
+ galaxy_tags:
 - system
--
cgit v1.2.1
From 567078d7c3ac7190d6748f0cfcd535e82912a12b Mon Sep 17 00:00:00 2001
From: kadecole
Date: Thu, 18 Jun 2015 00:23:06 -0500
Subject: Add a managed ntp.conf template.
---
 defaults/main.yml | 6 ++++++
 handlers/main.yml | 3 +++
 tasks/main.yml | 12 +++++++++---
 templates/ntp.conf.j2 | 22 ++++++++++++++++++++++
 4 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 handlers/main.yml
 create mode 100644 templates/ntp.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index f0fc211..5b47eca 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,3 +1,9 @@
 ---
 ntp_enabled: true
 ntp_timezone: America/Chicago
+
+ntp_servers:
+ - 0.pool.ntp.org iburst
+ - 1.pool.ntp.org iburst
+ - 2.pool.ntp.org iburst
+ - 3.pool.ntp.org iburst
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..ee25a57
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart ntp
+ service: name={{ ntp_daemon }} state=restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index 2844315..b6213ba 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -8,18 +8,19 @@
 dest: /etc/localtime
 state: link
 force: yes
+ when: ntp_enabled
 - name: Install NTP (RedHat).
 yum: name=ntp state=installed
- when: ansible_os_family == 'RedHat'
+ when: ansible_os_family == 'RedHat' and ntp_enabled
 - name: Install NTP (Debian).
 apt: name=ntp state=installed
- when: ansible_os_family == 'Debian'
+ when: ansible_os_family == 'Debian' and ntp_enabled
 - name: Install NTP (FreeBSD).
 pkgng: name=ntp state=present
- when: ansible_os_family == 'FreeBSD'
+ when: ansible_os_family == 'FreeBSD' and ntp_enabled
 - name: Ensure NTP is running and enabled at system start.
 service:
@@ -34,3 +35,8 @@
 state: stopped
 enabled: no
 when: not ntp_enabled
+
+- name: Generate ntp.conf file
+ template: src=ntp.conf.j2 dest=/etc/ntp.conf
+ notify: restart ntp
+ when: ntp_enabled
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
new file mode 100644
index 0000000..b0ddb0c
--- /dev/null
+++ b/templates/ntp.conf.j2
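Review bot: In tasks/main.yml of "Add a managed ntp.conf template.", last hunk, the added `Generate ntp.conf file` task writes /etc/ntp.conf without `owner` or `mode`, so the resulting permissions depend on whatever file was there before or on the umask of the run. Pinning them keeps the daemon's configuration from ending up group- or world-writable, and the block form below matches the timezone and service tasks visible in the same file. `group` is left out because the role also lists FreeBSD as a platform, where the root group name differs; confirm per platform before adding it.

```yaml
- name: Generate ntp.conf file
  template:
    src: ntp.conf.j2
    dest: /etc/ntp.conf
    owner: root
    mode: "0644"
  # … unchanged: notify and when lines …
```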
@@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+
+# Default NTP servers for the operating system.
+{% for item in ntp_servers %}
+server {{ item }}
+{% endfor %}
+
+# Security:
+#
+# By default, only allow time queries and block all other requests
+# from unauthenticated clients.
+#
+# See http://support.ntp.org/bin/view/Support/AccessRestrictions
+# for more information.
+#
+restrict default kod limited nomodify notrap nopeer noquery
+restrict -6 default kod limited nomodify notrap nopeer noquery
+
+# The following settings allow unrestricted access from the localhost
+restrict 127.0.0.1
+restrict -6 ::1
+restrict 127.127.1.0
--
cgit v1.2.1
From 9c0a3ce4ff0c8bc00dbb8497193c2fc5f015c5aa Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Thu, 3 Mar 2016 22:45:52 -0600
Subject: NTP configuration cleanup and add documentation for new vars.
---
 README.md | 17 ++++++++---
 defaults/main.yml | 1 +
 handlers/main.yml | 2 +-
 tasks/main.yml | 13 ++++-----
 templates/ntp.conf.j2 | 78 +++++++++++++++++++++++++++++++++++++++++----------
 tests/test.yml | 1 +
 6 files changed, 85 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index 49a459f..0a28255 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,17 @@ Whether to start the ntpd service and enable it at system boot. On many virtual
 Set the timezone for your server.
+ ntp_manage_config: false
+
+Set to true to allow this role to manage the NTP configuration file (`/etc/ntp.conf`).
+
+ ntp_servers:
+ - 0.pool.ntp.org iburst
+ - 1.pool.ntp.org iburst
+ - 2.pool.ntp.org iburst
+ - 3.pool.ntp.org iburst
+
+Specify the NTP servers you'd like to use. Only takes effect if you allow this role to manage NTP's configuration, by setting `ntp_manage_config` to `true`.
 ## Dependencies
@@ -27,11 +38,9 @@ None.
 ## Example Playbook
- - hosts: db-servers
- vars_files:
- - vars/main.yml
+ - hosts: all
 roles:
- - { role: geerlingguy.ntp }
+ - geerlingguy.ntp
 *Inside `vars/main.yml`*:
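Review bot: In the new templates/ntp.conf.j2 of "Add a managed ntp.conf template.", the comment `# Default NTP servers for the operating system.` is inaccurate, because the `server` lines below it are rendered from the role variable `ntp_servers` and not from anything the OS ships. I would reword it to `# NTP servers, taken from the ntp_servers role variable.`. Separately, the template replaces the whole of /etc/ntp.conf but has no `driftfile` directive, so a host configured from it presumably loses the drift file its stock ntp.conf set up; worth checking against the stock files of the supported platforms.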
diff --git a/defaults/main.yml b/defaults/main.yml
index 5b47eca..3ec5741 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,6 +2,7 @@
 ntp_enabled: true
 ntp_timezone: America/Chicago
+ntp_manage_config: false
 ntp_servers:
 - 0.pool.ntp.org iburst
 - 1.pool.ntp.org iburst
diff --git a/handlers/main.yml b/handlers/main.yml
index ee25a57..eb57480 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,3 +1,3 @@
 ---
 - name: restart ntp
- service: name={{ ntp_daemon }} state=restarted
+ service: "name={{ ntp_daemon }} state=restarted"
diff --git a/tasks/main.yml b/tasks/main.yml
index b6213ba..6a58382 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -8,28 +8,27 @@
 dest: /etc/localtime
 state: link
 force: yes
- when: ntp_enabled
 - name: Install NTP (RedHat).
 yum: name=ntp state=installed
- when: ansible_os_family == 'RedHat' and ntp_enabled
+ when: ansible_os_family == 'RedHat'
 - name: Install NTP (Debian).
 apt: name=ntp state=installed
- when: ansible_os_family == 'Debian' and ntp_enabled
+ when: ansible_os_family == 'Debian'
 - name: Install NTP (FreeBSD).
 pkgng: name=ntp state=present
- when: ansible_os_family == 'FreeBSD' and ntp_enabled
+ when: ansible_os_family == 'FreeBSD'
-- name: Ensure NTP is running and enabled at system start.
+- name: Ensure NTP is running and enabled as configured.
 service:
 name: "{{ ntp_daemon }}"
 state: started
 enabled: yes
 when: ntp_enabled
-- name: Ensure NTP is stopped and disabled at system start.
+- name: Ensure NTP is stopped and disabled as configured.
 service:
 name: "{{ ntp_daemon }}"
 state: stopped
@@ -39,4 +38,4 @@
 - name: Generate ntp.conf file
 template: src=ntp.conf.j2 dest=/etc/ntp.conf
 notify: restart ntp
- when: ntp_enabled
+ when: ntp_manage_config
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
index b0ddb0c..cc1e0f0 100644
--- a/templates/ntp.conf.j2
+++ b/templates/ntp.conf.j2
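Review bot: In tasks/main.yml of "NTP configuration cleanup and add documentation for new vars.", last hunk, switching the template task to `when: ntp_manage_config` means it can now notify `restart ntp` while `ntp_enabled` is false, and the handler touched in handlers/main.yml (`state=restarted`) carries no condition. With `ntp_enabled: false` and `ntp_manage_config: true`, which is the combination tests/test.yml sets in this same commit, a changed config would restart, and so start, the daemon that the role has just stopped and disabled. Adding `when: ntp_enabled` to the handler keeps the two variables independent.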
@@ -1,22 +1,70 @@
 # {{ ansible_managed }}
-# Default NTP servers for the operating system.
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
 {% for item in ntp_servers %}
 server {{ item }}
 {% endfor %}
-# Security:
-#
-# By default, only allow time queries and block all other requests
-# from unauthenticated clients.
-#
-# See http://support.ntp.org/bin/view/Support/AccessRestrictions
-# for more information.
-#
-restrict default kod limited nomodify notrap nopeer noquery
-restrict -6 default kod limited nomodify notrap nopeer noquery
-
-# The following settings allow unrestricted access from the localhost
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
 restrict 127.0.0.1
-restrict -6 ::1
-restrict 127.127.1.0
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+# Enable public key cryptography.
+#crypto
+
+#includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+#keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
+
+# Disable the monitoring facility to prevent amplification attacks using ntpdc
+# monlist command when default restrict does not include the noquery flag. See
+# CVE-2013-5211 for more details.
+# Note: Monitoring will not be disabled with the limited restriction flag.
+disable monitor
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
diff --git a/tests/test.yml b/tests/test.yml
index 794470d..34c9773 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -4,6 +4,7 @@
 vars:
 ntp_enabled: false
+ ntp_manage_config: true
 roles:
 - ansible-role-ntp
--
cgit v1.2.1
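Review bot: In templates/ntp.conf.j2 of "NTP configuration cleanup and add documentation for new vars.", the rewritten access-control block replaces the two `restrict ... default kod limited nomodify notrap nopeer noquery` lines with a single `restrict default nomodify notrap nopeer noquery`, which drops both the `kod limited` rate limiting and the separate `restrict -6 default` entry without the commit message saying so. Whether a bare `restrict default` also covers IPv6 depends on the ntpd version, which is not visible here, so this should be confirmed for every platform listed in meta/main.yml before the `-6` line is given up. If `kod limited` was removed so that `disable monitor` further down takes effect, a comment next to the restrict line would record that, e.g. `# kod/limited left out so that 'disable monitor' below is honoured.`. The `driftfile /var/lib/ntp/drift` path at the top of the hunk also looks distribution-specific for a template shared by all listed platforms.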